So today I received an abuse email from hetzner with logs of my server's IP scanning for port 22 on the 192.168.x.x IP range.
Problem, the only stuff that we changed is adding a Minecraft plugin and after decompiling it nothing looks out of place.
The suspicious activity also looks like it stopped during the night, but I now have no idea where it could come from.
I tried to look up packets with wireshark but didn't find anything of use.
Does anyone have an idea to fix this ?

I was thinking of catching every outgoing packets to port 22 and log the process responsible for it, but I don't know how to do it, don't know if it is possible, and don't know if this is a good idea.

So right now all of my services are down, all my webservers, Minecraft proxy and server.
Nothing is running right now until I find the cause.

Found the issue, a miner got launched on the server, currently looking at reversing all the stack.
And rn there is an irc server used to get hooks.

Ok figured out everything.
I know the name of the botnet, the infos, how it works, have a backup of everything (syslogs and home directory of the miner).
I might go to the police with all of those infos, even though i don't think they can do much.

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.